In-depth security news and investigation

Posts Tagged: ExxonMobil Rewards+

Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that tries to foist Web browser extensions on visitors.

The mailer (the first page of which is screenshotted below) urges customers to visit exxonmobilrewardsplus[dot]com, to download its mobile app, and to call “1-888-REWARD+” with any questions. It may not be immediately obvious, but that “+” sign is actually the same thing as a zero on the telephone keypad (although I’m ashamed to say I had to look that up online to be sure).

Anyone curious enough to guess at other ending numbers other than zero will wind up at a call center advertising “free” Caribbean (1) cruises or at a pricey adult chat service dubbed “America’s hottest talk line” (6).

Worse, visiting the company’s new rewards Web site in Google Chrome prompted my browser to run a “security check,” followed by a series of popups offering to install a Chrome extension called “Browsing Safely.”

That extension changes your default search engine to Yahoo and appears to redirect all searches through a domain called lastlog[dot]in, which seems to be affiliated with an Israeli online advertising network. After adding the Browsing Safely extension to Chrome using a virtual machine, my browser was redirected to Exxon.com.

The Google Chrome extension offered when I first visited exxonmobilrewardsplus-dot-com.

Many people on Twitter who expressed confusion about the mailer said they accidentally added an “e” to the end of “exxonmobil” and ended up getting bounced around to spammy-looking sites with ad redirects and dodgy download offers.

ExxonMobil corporate has not yet responded to requests for comment. But after about 10 minutes on hold listening to the same Muzak-like song, I was able to reach a customer service person at the confusing ExxonMobil Rewards+ phone number. That person said the Web site for the rewards program wasn’t going to be active until July 11.

“Currently the Web site is not available,” the representative said. “Please don’t try to download anything from it right now. It should be active and available next week.”

It always amazes me when major companies with oodles of cash (ExxonMobil made $20 billion last year) roll out new marketing initiatives without consulting professionals who help mitigate security and privacy issues for a living. It seems likely that happened in this case because anyone who knows a thing or two about security would strongly advise against instructing customers to visit a parked domain or one that isn’t yet fully under the company’s control.

Update, July 11, 11:36 a.m. ET: As several readers have observed in the comments below, it appears that ExxonMobil has registered a different domain for its new rewards program: https://exxonandmobilrewardsplus.com/welcome/home (note the inclusion of the word “and” between Exxon and Mobil). This domain is advertised as the official new rewards program domain via ExxonMobil’s corporate homepage, exxon.com (albeit via a redirect).